Developing a Security Policy


A security policy is the essential basis on which an effective and
comprehensive security program can be developed. This critical component of the
overall security architecture, however, is often overlooked. A security policy
is the primary way in which management's expectations for security are
translated into specific, measurable, and testable goals and objectives.
Developing an effective security architecture requires a top-down approach
based on a well-stated policy. Conversely, if there is no security policy
defining and communicating those decisions, they will be made by the
individuals building, installing, and maintaining computer systems, and the
result will be a disparate and less-than-optimal security architecture.

This article discusses the importance of security policies for organizations
that plan to use electronic commerce on the Internet; for government
organizations that want to automate forms processing; and for any entity that
may have external exposure of data processing environments. These organizations
need some form of security architecture. This article also describes the basic
steps through which security policies are developed and includes a set of
recommended policy components.

In addition, this article is accompanied by a Data Security Policy -
Structure and Guidelines template that was built on the recommendations made
in this article. The template provides commentary; specific recommendations on
all of the security topics chosen for the policy; and a detailed list of
security policy principles. The template is available from:

Provide an overview of the necessity and criticality of security
policies.

Recommend a set of security policy principles that capture
management's primary security objectives.

Describe the basic characteristics of security policies.

Describe a process for developing security policies.

Security Principles

The definition of security principles is an important first step in security
policy development, because the principles dictate the specific type and nature
of the security policies most applicable to the organization's environment.
Security principles define the foundation upon which security policies can be
further elaborated. Organizations should evaluate and review these security
principles both before and after the development and elaboration of security
policies. This ensures that management's expectations for security and the
fundamental business requirements are satisfied throughout the development and
management of the security policies.

The security policies developed must establish a consistent notion of what is
and what is not permitted with respect to control of access to your data and
processing resources. They must respond to the business, technical, legal, and
regulatory environment in which your organization operates.

The principles here are based upon the following goals:

Ensure the availability of data and processing resources.

Provide assurance for the confidentiality and integrity of customer data
and allow for the compartmentalization of risk for customers and your
organization.

Ensure the integrity of data processing operations and protect them from
unauthorized use.

Ensure the confidentiality of the customer's and your processed
data, and prevent unauthorized disclosure or use.

Ensure the integrity of the customer's and your processed data, and
prevent the unauthorized and undetected modification, substitution, insertion,
and deletion of that data.